#######################################################################
Luigi Auriemma
Application: America's Army 3
http://www.americasarmy.com/aa3.php
Versions: <= 3.0.6
Platforms: Windows
Bug: resources consumption and crash
Exploitation: remote, versus server
Date: 13 Jul 2009
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
America's Army 3 (AA3) is the new free game of the AA series developed
for the U.S. Army as an help with the military recruitments.
Released about 20 days ago it's already played by thousands of players
and with more than 400 online servers
(http://login.aa3.americasarmy.com/servers).
#######################################################################
======
2) Bug
======
AA3 is affected by an unusual and weird problem in the handling of the
incoming players and their authentiation with the master server since
everytime that a player joins the server he is automatically verified
with this centralized AA3 authentication server
(auth.aa3.americasarmy.com).
With my Unreal Fake Players tool (unrealfp) is possible to test the
partial joining of players and during a normal test I noticed an huge
amount of errors referred to the MBS component plus the crash of the
whole server after some seconds.
The cause of the problem is not clear and has been verified only on my
test server (both GLOBAL and LAN) where have been confirmed the
following effects:
- CPU almost at 100%
- huge usage of the network bandwidth for the verification of the
players with the authentication server (for each player is performed
the resolution of the hostname auth.aa3.americasarmy.com and a TCP
connection to it)
- crash of the entire server after a variable amount of time (less
than 30 seconds in my tests)
Although the problem can be exploited with a "normal" fake players
attack I have seen better results with the usage of the JOINSPLIT
command which allows a single player to occupy various slots on the
server.
The following are the typical error messages visible in the server's
logs during the verification of the problem:
Log: MBSEngine Error -1
Log: MBS Error: -1 (length 84):
Log: [sdk->set_server_player_attribute():823] 'unable to set attribute of unknown player'
or
Log: MBSEngine Error -1
Log: MBS Error: -1 (length 33):
Log: error -1 (general error) occurred
#######################################################################
===========
3) The Code
===========
http://aluigi.org/fakep/unrealfp.zip
unrealfp -s JOINSPLIT 1 100 -l "ui_bink_master?Name=player?team=0?Face=0" SERVER 8777
if needed repeat the command (even 10 times) till the verification of
the vulnerability.
#######################################################################
======
4) Fix
======
No fix.
#######################################################################